diff --git a/MANIFEST.in b/MANIFEST.in
index 4bb3b0850..893801ea1 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,10 +1,13 @@
 include dom0/*.sls
 include dom0/*.top
+<<<<<<< HEAD
 include dom0/*.j2
 include dom0/securedrop-update
 include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop
 include dom0/securedrop-handle-upgrade
+=======
+>>>>>>> Remove legacy updater code & references to it; correctly remove symlink
 include config.json.example
 include README.md
 include LICENSE
diff --git a/README.md b/README.md
index 631e9c20c..cbfd5ff6d 100644
--- a/README.md
+++ b/README.md
@@ -199,7 +199,7 @@ Be aware that running tests *will* power down running SecureDrop VMs, and may re
 ### Automatic updates
-The `securedrop-update` script will automatically update packages in all TemplateVMs, as well as `dom0`, as part of a daily cron job. This script will also run the salt provisioning logic to ensure the state is consistent. Because AppVMs must be rebooted after a TemplateVM upgrade, a message will inform users to reboot their workstations to apply changes.
+Double-clicking the "SecureDrop" desktop icon will launch a preflight updater that applies any necessary updates to VMs, and may prompt a reboot.
 To update workstation provisioning logic, one must use the `sd-dev` AppVM that was created during the install. From your checkout directory, run the following commands (replace `` with the tag of the release you are working with):
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
index 461c774c7..257b20bf5 100644
--- a/dom0/sd-clean-all.sls
+++ b/dom0/sd-clean-all.sls
@@ -12,9 +12,7 @@ remove-dom0-sdw-config-files:
 - names:
 - /opt/securedrop
 - /etc/yum.repos.d/securedrop-workstation-dom0.repo
- - /usr/bin/securedrop-update
 - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
- - /etc/cron.daily/securedrop-update-cron
 - /usr/share/securedrop/icons
 - /home/{{ gui_user }}/.config/autostart/SDWLogin.desktop
 - /usr/bin/securedrop-login
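Review bot: The new side of the MANIFEST.in hunk commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> Remove legacy updater code …` — and the HEAD side still carries `include dom0/securedrop-update` even though this same patch deletes that file. setuptools reads MANIFEST.in line by line, so the marker lines will be reported as unknown template commands and the stale include as a missing file (warnings at best, a broken sdist at worst), and the conflict text itself would ship in the source archive. The resolution this commit appears to intend is to delete the three marker lines and the `include dom0/securedrop-update` line while keeping the `dom0/*.j2`, `securedrop-login`, `securedrop-launcher.desktop` and `securedrop-handle-upgrade` includes, so the hunk becomes a single-line removal.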
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
index 4cc38c34e..fa3df1fd2 100644
--- a/dom0/sd-dom0-files.sls
+++ b/dom0/sd-dom0-files.sls
@@ -64,20 +64,16 @@ dom0-install-securedrop-workstation-template:
 - file: dom0-workstation-rpm-repo
 - pkg: dom0-remove-securedrop-workstation-stretch-template
-# Copy script to system location so admins can run ad-hoc
+# Remove the legacy auto updater script
 dom0-update-securedrop-script:
- file.managed:
+ file.absent:
 - name: /usr/bin/securedrop-update
- - source: salt://securedrop-update
- - user: root
- - group: root
- - mode: 755
-# Symlink update script into cron, for single point of update
+
+# Remove symlink to legacy updater
 dom0-update-securedrop-script-cron:
- file.symlink:
+ file.absent:
 - name: /etc/cron.daily/securedrop-update-cron
- - target: /usr/bin/securedrop-update
 # Create directory for storing SecureDrop-specific icons
 dom0-securedrop-icons-directory:
diff --git a/dom0/securedrop-update b/dom0/securedrop-update
deleted file mode 100755
index e9d6060e7..000000000
--- a/dom0/securedrop-update
+++ /dev/null
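Review bot: The two new `file.absent` states are a one-off migration, but their comments ("Remove the legacy auto updater script", "Remove symlink to legacy updater") do not say so, nor do they record the security consequence: with `/etc/cron.daily/securedrop-update-cron` gone, nothing in this hunk schedules unattended updates from dom0 any more, and per the README hunk the replacement preflight updater runs only when a user launches it from the desktop icon. A comment on the first state should make both points explicit, e.g. `# Transitional cleanup: earlier releases shipped a cron-driven updater; updates are now user-initiated via the SecureDrop launcher. Drop these two states once all deployed workstations have upgraded past this release.` If an unattended update path is still expected on the workstation (a systemd timer or Qubes updater policy), it is not visible in this diff and should be referenced from the same comment so the removal is not mistaken for a regression.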
@@ -1,66 +0,0 @@
-#!/bin/bash
-# Utility for dom- to ensure all updates are regularly installed
-set -e
-set -u
-
-# Number of VMs to update in parallel. Default is 4,
-# which can be memory-intensive.
-SECUREDROP_MAX_CONCURRENCY=2
-
-
-# Ensure elevated privileges
-if [[ "$EUID" -ne 0 ]]; then
- echo "Script must be run as root! Exiting..."
- exit 1
-fi
-
-# Display GUI feedback about update process
-function securedrop-update-feedback() {
- # Unpack msg as arg1
- local msg="$1"
- shift
-
- # Running `notify-send` as root doesn't work, must be normal user.
- # Setting 60s expire time (in ms) since it's a long-running cmd.
- local qubes_user
- qubes_user="$(id -nu 1000)"
- su "$qubes_user" -c "notify-send \
- --app-name 'SecureDrop Workstation' \
- --icon /usr/share/securedrop/icons/sd-logo.png \
- --expire-time 60000 \
- 'SecureDrop: $msg'"
-}
-
-function get_sdw_target_vms() {
- qvm-ls --tags sd-workstation-updates --raw-data --fields NAME,CLASS \
- | perl -F'\|' -lanE 'say $F[0] if $F[1] eq "TemplateVM"' \
- | perl -npE 's/\n/,/g' \
- | perl -npE 's/,$//'
-}
-
-securedrop-update-feedback "Updating dom0 configuration..."
-
-# Install latest RPMs inside dom0
-qubesctl state.sls update.qubes-dom0
-
-# Configure VM state (network settings, RPC policies)
-securedrop-update-feedback "Updating VM configuration..."
-qubesctl state.highstate
-
-securedrop-update-feedback "Installing updates for VM applications..."
-
-qubesctl --skip-dom0 --targets fedora-30 state.sls update.qubes-vm
-
-# Format list of all VMs comma-separated, for use as qubesctl target
-sdw_target_vms="$(get_sdw_target_vms)"
-
-# Use the Qubes-provided "update.qubes-vm" state to upgrade packages
-# Update all SDW templates.
-qubesctl --skip-dom0 \
- --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
- --targets "$sdw_target_vms" \
- state.sls update.qubes-vm
-
-securedrop-update-feedback \
- "Updates installed. Please reboot the workstation \
-to ensure the latest security fixes are applied."
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
index bef072488..588ef7912 100644
--- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
+++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -45,12 +45,10 @@ install -m 755 -d %{buildroot}/usr/share/%{name}/scripts
 install -m 644 dom0/*.sls %{buildroot}/srv/salt/
 install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
-install -m 644 dom0/securedrop-update %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
 install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
 # The next file should get installed via RPM not via salt
-install -m 755 dom0/securedrop-update %{buildroot}/srv/salt/securedrop-update
 install -m 644 sd-app/* %{buildroot}/srv/salt/sd/sd-app/
 install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
 install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
@@ -64,7 +62,6 @@ install -m 644 launcher/sdw_updater_gui/*.py %{buildroot}/opt/securedrop/launche
 %doc README.md LICENSE
 %{python3_sitelib}/securedrop_workstation_dom0_config*
 %{_datadir}/%{name}
-%{_bindir}/securedrop-update
 /srv/salt/sd*
 /srv/salt/dom0-xfce-desktop-file.j2
 /srv/salt/securedrop-*
diff --git a/setup.py b/setup.py
index 1a60c64b2..25808ed6d 100644
--- a/setup.py
+++ b/setup.py
@@ -19,7 +19,6 @@ url="https://github.com/freedomofpress/securdrop-workstation",
 data_files=[
 ("share/securedrop-workstation-dom0-config", ["config.json.example"]),
- ("bin/", ["dom0/securedrop-update"]),
 ],
 classifiers=(
 "Development Status :: 3 - Alpha",